slsa.yaml
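---
# Reusable workflow: generate SLSA provenance for an already-built container
# image, then verify that provenance with slsa-verifier.
#
# Inputs (all required, all strings):
#   image_digest  - registry/image@sha256:<digest> of the image to attest
#   auth_provider - GCP workload identity provider used for OIDC auth
#   auth_user     - GCP service account impersonated via that provider
name: provenance

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      image_digest:
        description: 'Fully-qualified image digest to verify (registry/image@sha256:digest)'
        required: true
        type: string
      auth_provider:
        description: 'OIDC provider ID'
        required: true
        type: string
      auth_user:
        description: 'OIDC user ID'
        required: true
        type: string

# Workflow-wide default; jobs that need more declare it explicitly.
permissions:
  contents: read

jobs:
  # Splits image_digest into its image and digest halves for the generator.
  config:
    runs-on: self-hosted
    permissions:
      contents: read
    outputs:
      image: ${{ steps.split.outputs.image }}
      digest: ${{ steps.split.outputs.digest }}
    steps:
      - name: Export Config
        id: split
        # The input goes through `env` instead of being interpolated into the
        # script body, so a crafted caller value cannot inject shell commands.
        env:
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        shell: bash
        run: |
          set -euo pipefail
          # Fail fast on malformed input; the previous `cut -d@` split silently
          # emitted the whole string as both outputs when no '@' was present.
          if [[ "$IMAGE_DIGEST" != *@* ]]; then
            echo "::error::image_digest must have the form registry/image@sha256:<digest>"
            exit 1
          fi
          image="${IMAGE_DIGEST%@*}"
          digest="${IMAGE_DIGEST#*@}"
          # OCI digest format: algorithm, colon, 64 lowercase hex characters.
          if [[ ! "$digest" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::digest part of image_digest must be sha256:<64 hex chars>"
            exit 1
          fi
          echo "image=$image" >> "$GITHUB_OUTPUT"
          echo "digest=$digest" >> "$GITHUB_OUTPUT"

  # Generates and uploads SLSA provenance for the image via the reusable
  # generator workflow. id-token:write is needed for Sigstore signing and
  # packages:write to push the attestation next to the image.
  provenance:
    needs:
      - config
    permissions:
      actions: read
      id-token: write
      packages: write
    # NOTE(review): the workflow file name and ref on the next line arrived
    # garbled as "[email protected]" (page rendering artifact); restore the
    # real path and pin it to a full commit SHA, as the other actions here are.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: ${{ needs.config.outputs.image }}
      digest: ${{ needs.config.outputs.digest }}
      registry-username: ${{ github.actor }}
      gcp-workload-identity-provider: ${{ inputs.auth_provider }}
      gcp-service-account: ${{ inputs.auth_user }}

  # Independently verifies the provenance that the previous job produced.
  verify:
    needs:
      - provenance
    runs-on: self-hosted
    permissions:
      actions: read
      id-token: write
    steps:
      - name: Auth to GCP
        id: auth
        uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ inputs.auth_provider }}
          service_account: ${{ inputs.auth_user }}
      - name: Install SLSA Verifier
        uses: slsa-framework/slsa-verifier/actions/installer@c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc # v2.3.0
      - name: Verify SLSA Provenance
        # Same env-passing as in `config`: no caller input in the script body.
        env:
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        shell: bash
        # NOTE(review): --source-tag uses GITHUB_REF_NAME, which is only a tag
        # when the calling workflow runs on a tag ref — confirm that callers do.
        run: |-
          slsa-verifier verify-image "$IMAGE_DIGEST" \
            --source-uri "github.com/$GITHUB_REPOSITORY" \
            --source-tag "$GITHUB_REF_NAME"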